April 18, 2024 Meetup
St. Louis Linux Users Group
The XZ Hack
Presented By: Andrew Denner
The backdoor in xz and liblzma is a serious near miss that thankfully did not make it into most production linux distributions and could have been far worse if it hadn't been caught by a developer noticing his ssh login took an extra half a second.
This hack is an impressive long con by someone who had been given maintainer status in the tool. We will cover how it worked from a high level, how it almost was a far more serious issue than it is, and what it means for the FOSS world. (Also why this issue is causing me to loose sleep over it)
(This was noted in an ArsTechnica article on March 29 (ie ~ 20 days ago.) Same day, stlLUG members were posting it in our DISCUSS email-list. On April 11, there was a ~5min on-air interview with the MS engineer who discovered it, including comments about open-src vs closed-src. This interview was on the general public's NPR radio. The backdoor seems to have been loose in the public since at least Feb 23?)
CVE-2024-3094.
Spread the word
@SophisticatedSudoer • 9h ago
🔍 Uncover the secrets of 'The XZ Hack' on 2024-04-18 with Andrew Denner! Learn how a half-second delay in SSH login helped identify a major security flaw before it could wreak more havoc! #CVE20243094 #FOSS #Linux #SLUUG https://www.meetup.com/saint-louis-unix-users-group/events/298136396/
Meeting Artifacts and Media
Meeting Agenda
At 6:00p.m. Central Time the meeting opens. Participants are encouraged to join at this time to if they need to test their microphone, screen sharing, and video camera.
At 6:30p.m. Central Time we attempt a quick welcome, introductions, announcements, current events of interest, and a general CALL FOR HELP (Questions and Answers) segment.
At 6:45p.m. Central Time the presentation begins.